Australia’s ‘digital identity assets’ in danger, report
- 06 December, 2018 09:51
A scenario: an agency discovers that thousands of digital land titles have been altered, making it impossible for individuals and companies to prove ownership of their assets.
“The stock market moves into freefall as confidence in the financial sector evaporates when the essential underpinning of Australia’s multitrillion-dollar housing market – ownership – is thrown into question. There’s a rush to try to prove ownership, but nowhere to turn,” writes Anne Lyons, a visiting fellow with the Australian Strategic Policy Institute (ASPI), in a report published this week.
“Banks cease all property lending and business lending that has property as collateral. The real estate market, insurance market and ancillary industries come to a halt. The economy begins to lurch,” Lyons’ paper – Identity of a nation: Protecting the digital evidence of who we are – continues.
The same day, a judge’s clerk finds an error in an online reference version of an Act. It’s been tampered with, but it is unclear how many changes have been made, and whether other laws have been altered too.
“The whole court system is shut down as the entire legal code is checked against hard-copy and other records and digital forensics continue,” Lyons continues.
These data doomsday situations are both catastrophic and increasingly likely, Lyons’ analysis finds. While the number of cyber incidents in Australia continues to rise, governments are not prioritising security for what Lyons refers to as ‘digital national identity assets’.
“What if we had no evidence of who we are, what we own, who governs us, where we have come from?” she writes.
Collective loss
Digital national identity assets is a term covering a broad range of datasets. It includes Hansard transcripts of parliamentary business; newspaper archives and photographic collections; state births, deaths and marriages records; and the passport biometrics collected by Border Force.
Some are specific to Australia’s national identity, for example, the convict records kept in the NSW and Tasmanian state archives; the Lindt Café siege social media collection at the State Library of NSW; and World War I and II servicemen records.
The government in July passed its Security of Critical Infrastructure Act 2018, which allows it to conduct national security risk assessments of and enforce mitigation strategies on companies supplying electricity, gas and water and the operators of ports. Its Critical Infrastructure Resilience Strategy additionally covers food, banking and transport.
Institutions holding digital national identity assets, however, are not recognised as critical infrastructure.
And while critical infrastructure, along with defence, privacy and personal information “attract the headlines, the attention and ultimately the dollars,” Lyons says, Australia’s museums and archives regularly struggle to secure funding.
The loss of an authoritative source of information – say citizenship records or the findings of past Royal Commissions – might sound less disruptive than a state-wide blackout, but the effect could be far worse, Lyons suggests.
“The biggest impact from an attack on national identity assets would be the resulting corrosion of trust in public institutions,” Lyons writes, pointing to Russian interference in other nations’ elections being “corrosive to democracy” regardless of the voting outcome.
Losing a historical archive would also “be likely to cause public outrage and a great collective sense of loss” she adds.
That makes such assets a ‘future frontier’ for terrorists and malicious state actors, the report says.
“Previously, victors rewrote history. Now, in the digital age, our adversaries could rewrite our present. If we aren’t vigilant, we run the risk that adversaries could destroy or manipulate our national identity assets, compromising the digital pillars of our society and culture,” Lyons writes.
Takes a disaster
The vulnerability of Australia’s digital national identity is an “underappreciated national security issue” Lyons says.
Despite its importance “…our vitally important sovereign national identity data and information isn’t being adequately protected and lacks a long-term protection or preservation strategy,” the report states.
That sentiment was echoed by David Fricker, director-general of National Archives of Australia – which holds more than 40 million items from documents about Australia’s single worst naval disaster, the sinking of the HMAS Sydney in 1941 to records on Australian espionage and counter espionage activities – in a speech last year.
He told a parliament house audience “…proper stewardship in Australia of our government information has never been more important to preserving our national security…”
“We have to value our government data holdings as a national asset and within government we have to adjust our behaviours and our policies accordingly,” Fricker added.
Lyons recommends that national identity assets – such as those held by the National Archives and National Library – be recognised as ‘critical infrastructure’. She also recommends such institutions engage with national security agencies to improve their security posture and the Australian Productivity Commission determines the value of the identity data they hold.
The situation is “urgent” Lyons writes. But alas, “sometimes it takes a disaster before a new or upgraded system is funded” she adds.